# {{ ansible_managed }}

Listen {{ keystone_service_port }}
<VirtualHost {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}>

    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>

    LogLevel  {{  keystone_apache_log_level }}
    # NOTE(Cloudnull): Log files can changed to use "mod_journal" when Apache 2.5 is released
    ErrorLog  {{ keystone_apache_default_log_folder }}/keystone-apache-error.log
    CustomLog {{ keystone_apache_default_log_folder }}/ssl_access.log {{ keystone_apache_custom_log_format }}
    Options +FollowSymLinks

    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set Content-Security-Policy "default-src 'self' https: wss:;"
    {% if keystone_sp != {} -%}
    Header set Content-Security-Policy "script-src 'sha256-oBahlBFQem+nMs1JwgcBB03Hy8nRh5e8qEGTOcxmAuM=';"
    {% endif -%}
    Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}"

    {% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%}
    SSLEngine on
    SSLCertificateFile    {{ keystone_ssl_cert }}
    SSLCertificateKeyFile {{ keystone_ssl_key }}
    {% if keystone_user_ssl_ca_cert is defined -%}
    SSLCACertificateFile  {{ keystone_ssl_ca_cert }}
    {% endif -%}
    SSLCompression Off
    SSLProtocol {{ keystone_ssl_protocol }}
    SSLHonorCipherOrder On
    SSLCipherSuite {{ keystone_ssl_cipher_suite }}
    SSLOptions +StdEnvVars +ExportCertData
    {% endif -%}
    {% if keystone_sp_apache_mod_auth_openidc -%}
    OIDCClaimPrefix "{{ keystone_sp.trusted_idp_list.0.oidc_claim_prefix | default('OIDC-') }}"
    OIDCResponseType "{{ keystone_sp.trusted_idp_list.0.oidc_resp_type | default('id_token') }}"
    OIDCScope "{{ keystone_sp.trusted_idp_list.0.idc_scope | default('openid email profile') }}"
    OIDCProviderMetadataURL {{ keystone_sp.trusted_idp_list.0.oidc_provider_metadata_url }}
    OIDCClientID {{ keystone_sp.trusted_idp_list.0.oidc_client_id }}
    OIDCClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_client_secret }}
    OIDCCryptoPassphrase {{ keystone_sp.trusted_idp_list.0.oidc_crypto_passphrase }}
    OIDCRedirectURI {{ keystone_sp.trusted_idp_list.0.oidc_redirect_uri }}
    {% if keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri is defined -%}
    OIDCOAuthVerifyJwksUri {{ keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri }}
    {% endif %}

    <Location /v3/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/auth>
      Require valid-user
      AuthType auth-openidc
    </Location>

    <Location /v3/auth/OS-FEDERATION/websso/openid>
      Require valid-user
      AuthType openid-connect
    </Location>

    <Location /v3/auth/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/websso>
      Require valid-user
      AuthType openid-connect
    </Location>
    {% endif %}
    {%- if keystone_sp_apache_mod_shib -%}
    ShibURLScheme {{ keystone_service_publicuri_proto }}

    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>

    <Location /v3/auth/OS-FEDERATION/websso/saml2>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibRequestSetting exportAssertion 1
        ShibRequireSession On
        ShibExportAssertion On
        Require valid-user
    </Location>

    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
        ShibRequestSetting requireSession 1
        AuthType shibboleth
        ShibExportAssertion Off
        Require valid-user
    </LocationMatch>
    {% endif %}

    {% if keystone_sp != {} -%}
    <Directory /var/www/cgi-bin/keystone>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    {% endif %}

    {% if keystone_sp_apache_mod_shib -%}
    ProxyPass /Shibboleth.sso !
    {% endif -%}

    ProxyPass / uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}/

</VirtualHost>

ProxyPass /identity uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}/
